-1

I followed a YouTube tutorial which teaches you how to create an edit and delete data page for PHP and MySQL, but for some reason my code isn't working. Two error messages showed up:

Notice: Undefined variable: _Get in C:\Users\siaw_\PhpstormProjects\Report Page\modify.php on line 6

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\Users\siaw_\PhpstormProjects\Report Page\modify.php on line 8

I followed the tutorial exactly the way it is... I have very limited knowledge on PHP & MYSQL so please figure out the error on line 6 and 8?

Here is the code:

<?php

include 'connect.php';

if(!isset($_POST['submit'])) {
    $q = "SELECT * FROM people WHERE ID = $_Get[id]";
    $result = mysql_query($q);
    $person = mysql_fetch_array($result);
}

?>

<h1>You Are Modifying A User</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    Name <input type="text" name="inputName" value="<?php echo $person['Name']; ?>" /><br />
    Description <input type="text" name="inputDesc" value="<?php echo $person['Description']; ?>" />
    <br />
    <input type="hidden" name="id" value="<?php echo $_GET['id']; ?>" />
    <input type="submit" name="submit" value="Modify" />
</form>

<?php

if(isset($_POST['submit'])) {
    $u = "UPDATE people SET `Name`='$_POST[inputName]', `Description`='$_POST[inputDesc]' WHERE ID = $_POST[id]";
    mysql_query($u) or die(mysql_error());

    echo "User Has Been Modified";
    header("Location: index.php");

}
?>

Also here is the youtube link which I used (https://www.youtube.com/watch?v=kc1bppUlqps)

chris85

2 Answers

2
  • You should properly bind the variables into your query
  • You should also sanitize your variables before using them in your query by using *_real_escape_string()
  • I think your page will have an error when the first isset($_POST["submit"]) condition was not met.

Sanitize your variable(s) first:

$id = mysql_real_escape_string((int) $_GET["id"]);

Bind them to your query:

$q = "SELECT * FROM people WHERE ID = '$id'";

Note that mysql_* is already deprecated and you should consider at least the mysqli_*.

But...mysql is deprecated :(

If you are interested in mysqli_*, you can check this:

First, we have to connect to your database (connection.php) using mysqli_*:

$conn = new mysqli("Host", "Username", "Password", "Database"); /* REPLACE NECESSARY DATA */

/* CHECK CONNECTION */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

Then for your php file where you process the $_GET["id"]:

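if(!isset($_POST['submit'])) { /* FIRST LOAD: THE FORM HAS NOT BEEN SUBMITTED YET */

  $stmt = $conn->prepare("SELECT Name, Description FROM people WHERE ID = ?"); /* PREPARE THE QUERY; $conn IS THE CONNECTION FROM connection.php */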
  $stmt->bind_param("i", $_GET["id"]); /* BIND $_GET["id"] TO YOUR QUERY; i STANDS FOR INTEGER TYPE */
  $stmt->execute(); /* EXECUTE YOUR PREPARED QUERY */
  $stmt->bind_result($name, $description); /* BIND THE RESULTS TO THESE VARIABLES CORRESPONDINGLY */
  $stmt->fetch(); /* FETCH THE RESULTS */
  $stmt->close(); /* CLOSE THE PREPARED STATEMENT */

}

/* YOUR HTML CODE HERE */

if(isset($_POST['submit'])) {

  $stmt = $conn->prepare("UPDATE people SET Name = ?, Description = ? WHERE ID = ?"); /* $conn IS THE CONNECTION FROM connection.php */
  $stmt->bind_param("ssi", $_POST["inputName"], $_POST["inputDesc"], $_POST["id"]); /* s STANDS FOR STRING TYPE */
  $stmt->execute();
  $stmt->close();

  echo "User Has Been Modified";
  header("Location: index.php");

}
Logan Wayne
  • The guy above you, budiantoip, beat you to it haha but your answer also helped fix my problem, thank you so much! :D – Richard Siaw Feb 17 '16 at 01:17
  • Thank you for the mysqli_* information! :) I may not have used it now but it'll definitely come in handy in the future so thanks very much!!! :D – Richard Siaw Feb 17 '16 at 01:31
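
The mysqli_* approach from the answer above, put together as one complete modify.php. This is an added example, not code from the answer or the tutorial: it assumes connection.php defines $conn as in the answer, takes the table and column names from the question, and adds integer validation of the id, HTML escaping of the values echoed into the form, a fixed form action instead of PHP_SELF, and a redirect that runs before any output.

```php
<?php
// Added example, not the answerer's code. Assumes connection.php defines $conn (mysqli)
// and that `people` has the columns ID, Name and Description shown in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
require 'connection.php';
// Escape a value for use inside an HTML attribute.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Accept the id only if it is an integer; reject before touching the database.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null || !isset($_POST['inputName'], $_POST['inputDesc'])) {
        http_response_code(400);
        exit('Invalid input');
    }
    $stmt = $conn->prepare('UPDATE people SET Name = ?, Description = ? WHERE ID = ?');
    $stmt->bind_param('ssi', $_POST['inputName'], $_POST['inputDesc'], $id);
    $stmt->execute();
    $stmt->close();
    // Redirect before any output has been sent, then stop the script.
    header('Location: index.php');
    exit;
}

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Missing or invalid id');
}
$stmt = $conn->prepare('SELECT Name, Description FROM people WHERE ID = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($name, $description);
$found = $stmt->fetch(); // true when a row was read, null when none matches
$stmt->close();
if (!$found) {
    http_response_code(404);
    exit('No such user');
}
?>
<h1>You Are Modifying A User</h1>
<form action="modify.php" method="post">
    Name <input type="text" name="inputName" value="<?php echo h($name); ?>" /><br />
    Description <input type="text" name="inputDesc" value="<?php echo h($description); ?>" /><br />
    <input type="hidden" name="id" value="<?php echo h($id); ?>" />
    <input type="submit" name="submit" value="Modify" />
</form>
```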
1

You need to put the $_GET outside, and also your $_GET syntax is incorrect, try to change :

if(!isset($_POST['submit'])) {
    $q = "SELECT * FROM people WHERE ID = $_Get[id]";
    $result = mysql_query($q);
    $person = mysql_fetch_array($result);
}

with this one :

if(!isset($_POST['submit'])) {
    $id = (int) $_GET['id']; // cast to integer so the value cannot change the query
    $q = "SELECT * FROM people WHERE ID = $id";
    $result = mysql_query($q);
    $person = mysql_fetch_array($result);
}
Budianto IP